官网: Spring Security 中文文档 参考手册 中文版
1.SpringSecurity知识
Java 领域老牌的权限管理框架当属 Shiro 了。Shiro 有着众多的优点,例如轻量、简单、易于集成等。当然 Shiro 也有不足,例如对 OAuth2 支持不够,在 Spring Boot 面前无法充分展示自己的优势等等。特别是随着现在 Spring Boot 和 Spring Cloud 的流行,Spring Security 正在走向舞台中央。
对于一个权限管理框架而言,无论是 Shiro 还是 Spring Security,最最核心的功能,无非就是两方面:认证和授权
通俗点说,认证就是我们常说的登录,授权就是权限鉴别,看看请求是否具备相应的权限。
Spring Security 支持基于 URL 的请求授权(例如微人事)、支持方法访问授权以及对象访问授权。
安全这一块从来都有说不完的话题,一个简单的注册登录很好做,但是你要是考虑到各种各样的攻击,XSS、CSRF 等等,一个简单的注册登录也能做的很复杂。
幸运的是,即使你对各种攻击不太熟悉,只要你用了 Spring Security,就能自动避免掉很多攻击了,因为 Spring Security 已经自动帮我们完成很多防护了。
2.Springboot+Security+Mysql
1.这是项目界面图
2.创建数据库
SET NAMES utf8mb4;
-- No FOREIGN KEY constraints are declared below, so these two toggles have no effect on this
-- script; they are kept because the page's dump includes them.
SET FOREIGN_KEY_CHECKS = 0;

-- ----------------------------
-- Table structure for role
-- ----------------------------
-- Note: MySQL's `utf8` is the 3-byte utf8mb3 alias, while the session above is utf8mb4.
DROP TABLE IF EXISTS `role`;
CREATE TABLE `role` (
  `id`   int NOT NULL AUTO_INCREMENT,
  `name` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 3 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = DYNAMIC;

-- ----------------------------
-- Records of role
-- ----------------------------
-- The role name is later prefixed with "ROLE_" when it becomes a Spring Security authority.
INSERT INTO `role` VALUES (1, 'admin');
INSERT INTO `role` VALUES (2, 'user');

-- ----------------------------
-- Table structure for user
-- ----------------------------
DROP TABLE IF EXISTS `user`;
CREATE TABLE `user` (
  `id`       int NOT NULL AUTO_INCREMENT,
  `username` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  -- Holds a bcrypt hash ($2a$10$..., 60 characters), never the plaintext password.
  `password` varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = DYNAMIC;

-- ----------------------------
-- Records of user
-- ----------------------------
-- Sample data only. Rows 1 and 2 carry the identical hash (same salt, i.e. the value was
-- copied), so they share a password; real seed data should hash each account separately.
INSERT INTO `user` VALUES (1, 'admin', '$2a$10$BR05R/2KEZasiHovU.5Seuq0vllT5SCRCDn5xmXEe8hF/4BO9OyrO');
INSERT INTO `user` VALUES (2, 'zhangsan', '$2a$10$BR05R/2KEZasiHovU.5Seuq0vllT5SCRCDn5xmXEe8hF/4BO9OyrO');
INSERT INTO `user` VALUES (3, 'zhaosi', '$2a$10$f/FUkz92i6xpHS/9sB7ZmO1gmm/0E748FzBC6FEfDqOmmHTcapMD2');

-- ----------------------------
-- Table structure for userrole
-- ----------------------------
-- Join table user -> role. uid/rid are plain ints with no FK, so orphaned rows are possible.
DROP TABLE IF EXISTS `userrole`;
CREATE TABLE `userrole` (
  `id`  int NOT NULL AUTO_INCREMENT,
  `uid` int NULL DEFAULT NULL,
  `rid` int NULL DEFAULT NULL,
  PRIMARY KEY (`id`) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 4 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = DYNAMIC;

-- ----------------------------
-- Records of userrole
-- ----------------------------
-- admin (uid 1) gets both roles; zhangsan (uid 2) only 'user'; zhaosi (uid 3) has no row.
INSERT INTO `userrole` VALUES (1, 1, 1);
INSERT INTO `userrole` VALUES (2, 1, 2);
INSERT INTO `userrole` VALUES (3, 2, 2);

SET FOREIGN_KEY_CHECKS = 1;
3.创建springboot项目
3.1pom.xml依赖
4.0.0
org.springframework.boot
spring-boot-starter-parent
2.6.2
com.xmx
springsecurity_j9_demo1
0.0.1-SNAPSHOT
war
springsecurity_j9_demo1
Demo project for Spring Boot
1.8
org.springframework.boot
spring-boot-starter-security
org.springframework.boot
spring-boot-starter-thymeleaf
org.springframework.boot
spring-boot-starter-web
org.thymeleaf.extras
thymeleaf-extras-springsecurity5
org.springframework.boot
spring-boot-starter-tomcat
provided
org.springframework.boot
spring-boot-starter-test
test
org.springframework.security
spring-security-test
test
org.mybatis.spring.boot
mybatis-spring-boot-starter
2.2.0
mysql
mysql-connector-java
8.0.25
runtime
org.springframework.boot
spring-boot-maven-plugin
3.2 application.properties配置
# View resolver: a returned view name is resolved to "/" + name + ".html" (e.g. "login" -> /login.html)
spring.mvc.view.prefix=/
spring.mvc.view.suffix=.html
# MySQL datasource
spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver
spring.datasource.url=jdbc:mysql://127.0.0.1:3306/security?characterEncoding=utf-8
# Plaintext DB credentials checked into config; acceptable for a local demo only. Beyond that,
# use a dedicated account limited to the grants this app needs instead of root, and supply the
# secret through the environment (SPRING_DATASOURCE_PASSWORD) or an externalised config file.
spring.datasource.username=root
spring.datasource.password=root
# DAO (MyBatis)
# Alias package: must match the entity source directory
mybatis.type-aliases-package=com.xmx.springsecurity_j9_demo1.entity
# NOTE(review): mapper-locations is normally a resource pattern such as classpath:mapping/*.xml;
# a bare directory may load no mapper XML at all - confirm against the project layout.
mybatis.mapper-locations=classpath:mapping
@Override
protected void configure(HttpSecurity http) throws Exception {
http.exceptionHandling().accessDeniedPage("/error.html");
http.authorizeRequests()
.antMatchers("/","/userlogin")
.permitAll()
//为URL添加访问权限
.antMatchers("/admin
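/**
 * Wires the database-backed {@code UserDetailsService} and the password encoder that
 * Spring Security uses to check submitted credentials against the stored bcrypt hashes.
 *
 * @param auth the builder Spring Security passes in
 * @throws Exception propagated from the builder
 */
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
    // The page's version printed passwordEncoder().encode("123") here to obtain a hash for
    // the seed rows. That ran a full bcrypt computation on every start-up and wrote a hash of
    // a sample password to stdout; seed hashes should be generated out-of-band instead.
    auth.userDetailsService(userService).passwordEncoder(passwordEncoder());
}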
/**
 * Password encoder shared by authentication (see {@code configure(AuthenticationManagerBuilder)})
 * and by whoever seeds the user table. BCrypt at the library's default strength; the stored
 * hashes on this page use the {@code $2a$10$} prefix, i.e. cost factor 10.
 *
 * @return a new {@link BCryptPasswordEncoder}
 */
@Bean
public PasswordEncoder passwordEncoder() {
    PasswordEncoder bcrypt = new BCryptPasswordEncoder();
    return bcrypt;
}
}
3.6.Controller层
AdminController
package com.xmx.springsecurity_j9_demo1.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
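/** Controller for the admin back-office; the HttpSecurity rule for {@code /admin...} paths gates access. */
@Controller
public class AdminController {

    /**
     * Admin back-office landing page.
     *
     * Mapped as {@code /admin/list} with a leading slash, consistent with {@code /user/list} in
     * UserController (Spring normalises {@code admin/list} to the same path, so callers are
     * unaffected). {@code @RequestMapping} without a method restriction answers every HTTP verb.
     *
     * @return the view name, resolved to {@code /admin/adminIndex.html}
     */
    @RequestMapping("/admin/list")
    public String list() {
        return "admin/adminIndex";
    }
}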
UserController
package com.xmx.springsecurity_j9_demo1.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
/** Controller for the login page, the public index and the ordinary-user back-office. */
@Controller
public class UserController {

    private static final String LOGIN_VIEW = "login";
    private static final String INDEX_VIEW = "index";
    private static final String USER_LIST_VIEW = "user/userIndex";

    /**
     * Custom login page; {@code /userlogin} is permitted without authentication in the
     * security configuration.
     *
     * @return the view name, resolved to {@code /login.html}
     */
    @RequestMapping("/userlogin")
    public String login() {
        System.out.println("-------login---------");
        return LOGIN_VIEW;
    }

    /**
     * Landing page after login.
     *
     * @return the view name, resolved to {@code /index.html}
     */
    @RequestMapping("/index")
    public String index() {
        System.out.println("-------index---------");
        return INDEX_VIEW;
    }

    /**
     * Ordinary-user back-office.
     *
     * @return the view name, resolved to {@code /user/userIndex.html}
     */
    @RequestMapping("/user/list")
    public String list() {
        return USER_LIST_VIEW;
    }
}
RoleDao
package com.xmx.springsecurity_j9_demo1.dao;
import com.xmx.springsecurity_j9_demo1.entity.Role;
import org.apache.ibatis.annotations.Mapper;
import java.util.List;
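/** MyBatis mapper for the {@code role} table; the SQL lives in the mapper XML, which is not on this page. */
@Mapper
public interface RoleDao {

    /**
     * Roles granted to one user, presumably read through the {@code userrole} join table.
     *
     * @param uid the user's id ({@code userrole.uid})
     * @return the user's roles. Typed as {@code List<Role>}: the raw {@code List} shown on the
     *         page leaves the {@code Role} import unused, so the type argument was almost
     *         certainly lost to HTML rendering rather than omitted on purpose.
     */
    List<Role> getRoles(int uid);
}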
3.7.Dao层
UserDao
package com.xmx.springsecurity_j9_demo1.dao;
import com.xmx.springsecurity_j9_demo1.entity.User;
import org.apache.ibatis.annotations.Mapper;
/** MyBatis mapper for the {@code user} table. */
@Mapper
public interface UserDao {

    /**
     * Loads the user row for a login name.
     *
     * @param name the submitted username; the mapper XML (not shown here) should bind it as a
     *             prepared-statement parameter ({@code #{name}}), never by string substitution
     * @return the matching user, or {@code null} when no row exists (callers check for null)
     */
    User userLogin(String name);
}
3.8.实体类层
Role
package com.xmx.springsecurity_j9_demo1.entity;
/**
 * A role granted to a user; mirrors the {@code role} table ({@code id}, {@code name}).
 * Plain mutable JavaBean so MyBatis can populate it.
 */
public class Role {

    /** {@code role.id}. */
    private int id;
    /** {@code role.name}; becomes the authority {@code "ROLE_" + name} at login. */
    private String name;

    /** @return the role id */
    public int getId() {
        return this.id;
    }

    /** @param id the role id */
    public void setId(int id) {
        this.id = id;
    }

    /** @return the role name */
    public String getName() {
        return this.name;
    }

    /** @param name the role name */
    public void setName(String name) {
        this.name = name;
    }
}
User
package com.xmx.springsecurity_j9_demo1.entity;
import java.util.List;
public class User{
private int id;
private String username;
private String password;
//角色处理,一个用户对象中包含有多个角色对象
private List role;
public int getId() {
return id;
}
public void setId(int id) {
this.id = id;
}
public String getUsername() {
return username;
}
public void setUsername(String username) {
this.username = username;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
public List getRole() {
return role;
}
public void setRole(List role) {
this.role = role;
}
}
3.9.业务层
UserServiceImpl
package com.xmx.springsecurity_j9_demo1.service.impl;
import com.xmx.springsecurity_j9_demo1.dao.UserDao;
import com.xmx.springsecurity_j9_demo1.entity.Role;
import com.xmx.springsecurity_j9_demo1.entity.User;
import com.xmx.springsecurity_j9_demo1.service.UserService;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
import java.util.ArrayList;
import java.util.List;
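/**
 * Bridges the MyBatis user lookup to Spring Security's {@code UserDetailsService}.
 */
@Service
public class UserServiceImpl implements UserService {

    @Autowired
    UserDao userDao;

    /**
     * Not implemented: always returns {@code null}. Kept as on the page because no caller is
     * visible; {@code userDao.userLogin(name)} has the same signature if this is ever wired up.
     *
     * @param name ignored
     * @return always {@code null}
     */
    @Override
    public User userLogin(String name) {
        return null;
    }

    /**
     * Loads the user by login name and converts it into the {@link UserDetails} Spring Security
     * authenticates against (the submitted password is checked against
     * {@code user.getPassword()} by the configured encoder, not here).
     *
     * @param username the submitted login name
     * @return the user's details with one {@code ROLE_<name>} authority per role
     * @throws UsernameNotFoundException when no row matches; DaoAuthenticationProvider by
     *         default converts this to a BadCredentialsException, so the message below
     *         (which names the account) is not shown to the client
     */
    @Override
    public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
        User user = userDao.userLogin(username);
        if (user == null) {
            throw new UsernameNotFoundException("用户名" + username + "不存在!");
        }
        // Authorities must carry the "ROLE_" prefix for hasRole()/role-based matchers to work.
        List<GrantedAuthority> authorities = new ArrayList<>();
        List<Role> roles = user.getRole();
        // A user with no userrole rows (e.g. zhaosi in the seed data) simply has no authorities;
        // the original NPE'd on a null role list.
        if (roles != null) {
            for (Role role : roles) {
                authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
            }
        }
        // Spring's User constructor rejects a null or empty password, so a row without a
        // stored hash fails here with an IllegalArgumentException rather than authenticating.
        return new org.springframework.security.core.userdetails.User(
                username, user.getPassword(), authorities);
    }
}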
UserService
package com.xmx.springsecurity_j9_demo1.service;
import com.xmx.springsecurity_j9_demo1.entity.User;
import org.springframework.security.core.userdetails.UserDetailsService;
/**
 * Application user service. Extends {@link UserDetailsService} so the same bean can be handed
 * to {@code AuthenticationManagerBuilder.userDetailsService(...)}.
 */
public interface UserService extends UserDetailsService {

    /**
     * User login lookup by name.
     *
     * @param name the login name
     * @return the matching user
     */
    User userLogin(String name);
}
4.运行结果:
4.1 管理员登录
点击登录,准备输入账号admin,密码123
admin登录运行结果:
点击管理员后台
点击返回,再点击用户后台
4.2 用户登录:点击返回后,点击安全退出,准备输入账号 zhangsan,密码 123
只能看到普通用户后台,看不到管理员后台,这是因为权限控制生效了。
点击用户后台
安全退出,输入错误账号密码后登录运行结果
4.3 没有登录,强行进入用户后台,在地址栏输入:http://localhost:8080/user/list,仍然会跳转到登录界面
运行结果:
4.4 用户登录后,强行进入管理员后台,地址栏输入:http://localhost:8080/admin/list
运行结果:



